uv icon indicating copy to clipboard operation
uv copied to clipboard
verified publisher icon astral-sh

UV publish with index name does not read environment credentials

Open sfriedowitz opened this issue 1 year ago • 5 comments

I was very excited to see the functionality with uv publish --index <index> come out in version 0.5.8 with this PR https://github.com/astral-sh/uv/pull/9694, but I don't think it behaves quite as I expected. It does not appear that publishing reads the UV_INDEX_MYINDEX_USERNAME and UV_INDEX_MYINDEX_PASSWORD for credentials when publishing.

Is this expected behavior? And if so, would it be possible to add support for reading credentials from those existing environment variables?

sfriedowitz avatar Dec 12 '24 16:12 sfriedowitz

I think it seems reasonable to pass the configuration to the publish URL. What do you think, @konstin @zanieb?

charliermarsh avatar Dec 13 '24 22:12 charliermarsh

Oh interesting. Do you expect the credentials for publishing to be the same as the ones for reading?

I'd expect them to be used, but I worry a different credential will be required?

zanieb avatar Dec 13 '24 22:12 zanieb

Is the implication that you might want a different environment variable?

charliermarsh avatar Dec 14 '24 01:12 charliermarsh

At least for the private PyPI repository we run in my organization, the publishing and reading credentials are the same. So it seemed intuitive that the UV_INDEX_<NAME> variables would be used.

But perhaps the UV_INDEX variables could be used in the absence of the UV_PUBLISH variables?

sfriedowitz avatar Dec 14 '24 02:12 sfriedowitz

We can add UV_INDEX_ as lowest priority credential source, behind CLI,UV_PUBLISH_ and (if used) the keyring.

konstin avatar Dec 17 '24 10:12 konstin

We can add UV_INDEX_ as lowest priority credential source, behind CLI,UV_PUBLISH_ and (if used) the keyring.

That would be perfect, thank you !

sfriedowitz avatar Dec 18 '24 02:12 sfriedowitz

We publish Python libraries to a private Artifactory registry and use separate credentials for read-only operations and for publishing. Those are easy enough to map to the same environment variable names if needed but IMO it'd be nicer to be able to use different names when reading (installing dependencies) vs writing (publishing).

We can add UV_INDEX_ as lowest priority credential source, behind CLI,UV_PUBLISH_ and (if used) the keyring.

This option sounds great - this would let us use UV_PUBLISH_ for publishing operations and UV_INDEX_ for read-only operations - having the two "look" different is less confusing IMO.

menzenski avatar Dec 30 '24 18:12 menzenski

We publish to private GitLab projects with individual credentials for every project. In GitLab all the packages from one group are available accessing the group package registry(https://docs.gitlab.com/ee/user/packages/package_registry/#view-packages).

In this scenario the publish token for pushing the package to the project is not the same as the read token for getting the packages from the group registry. So in this case it would be nice, when UV_PUBLISH_ would be used to authenticate with publish-url and UV_INDEX_<name> would be used to authenticate with index <name> to read/check dependencies.

SalttownUser avatar Jan 08 '25 15:01 SalttownUser

Reviewing our authentication system, i'm less inclined to do this: We currently fall back to prompting the user for username and password if there isn't any set. When index credentials and upload credentials are not the same (they usually should be different, since regular uv operations should have less privileges than publish), we would then instead of prompting use the wrong credentials from UV_INDEX_* and fail.

konstin avatar Jan 28 '25 15:01 konstin

I couldn't find any comment about using .netrc or .pypirc to store credentials for uv publish. Although I have both, uv doesn't use any of them.

erny avatar Mar 04 '25 13:03 erny

uv does not read .netrc or .pypirc for publishing, we currently only support the keyring as persistent password storage.

konstin avatar Mar 04 '25 13:03 konstin

@konstin -- It seems like .netrc could make sense, what do you think?

charliermarsh avatar Mar 04 '25 13:03 charliermarsh

Both files are standards that we can support (https://everything.curl.dev/usingcurl/netrc.html, https://packaging.python.org/en/latest/specifications/pypirc/), and we already support netrc for index authenticaton (i.e. we only have to wire this to publish, too), with the caveat that I'd generally nudge people towards the system keyring as a safer alternative to storing password in a plain text file.

konstin avatar Mar 04 '25 14:03 konstin

I went through this page in the documentation and got surprised that setting the UV_PUBLISH_USERNAME and UV_PUBLISH_PASSWORD allowed me to publish to a private repository (nexus and not the codeartifact) without being prompted for credentials.

Not sure if this is intentional, but very useful from my perspective.

BartekSzpak avatar Mar 11 '25 20:03 BartekSzpak

in case a user wants to publish to different indexes, would it be possible to have different UV_PUBLISH_ env vars? similarly to UV_INDEX_INDEXNAME_USERNAME, could we have UV_PUBLISH_INDEXNAME_USERNAME/PASSWORD

or what would be the preferred way to automate publishing to different indexes?

dzanaga avatar Mar 21 '25 10:03 dzanaga

I'd recommend running the two uv publish commands with different UV_PUBLISH_ values. If you're publishing from a local machine, you can also use the keyring support for dispatching.

konstin avatar Mar 21 '25 23:03 konstin

A closely related issue to this that I could consider part of it: Can we add the --env-file flag to uv publish? To be fair, it is not available for uv sync either (only uv run), but since sync runs in the background of uv run, you can already use a .env file to set index credentials. Maybe this needs a new issue?

EDIT: would there be anything problematic with this workaround? It does not seem to install uv again... uvx --env-file .env uv publish

rainermensing avatar May 26 '25 15:05 rainermensing